Who is responsible for cloud security anyway?
The question of whether migrating to the cloud is good for security has been widely answered with a resounding ‘yes’, which is why organizations are increasingly relying on cloud-based technology and services for their business operations.
A more nuanced conversation, however, revolves around the question of who ultimately bears the responsibility for cloud security.
The answer to this question is complicated by the fact that the cloud supply chain includes not only the customer and the cloud service provider, but potentially a variety of third parties in the form of infrastructure service providers, systems integrators and other partners.
To determine where the responsibility for security lies, it is imperative that companies look at the risks and weaknesses in their extended cloud supply chain, and then develop an accountability matrix to mitigate those risks.
Adopting this best-practice approach to security, governance and compliance is increasingly the only way for organizations that handle sensitive and confidential data – from law firms to financial services firms and other businesses engaged in knowledge work – to ensure their information is protected at the highest levels.
Roles and responsibilities
The first step is to determine which part of “cloud security” the service provider is responsible for and which parts the consumer of those services is responsible for dealing with.
Typically, the customer – the consumer of the cloud service – is responsible for determining which end users are allowed to access the service, and they typically achieve this through identity and access management solutions.
Meanwhile, the physical infrastructure on which the data is hosted is the provider’s responsibility: not just the servers themselves, but the security controls around access to those physical devices. For example, can anyone walk around the data center, or is access carefully controlled and limited to a short, vetted list of people? This part of the matrix is squarely in the hands of the provider.
Given the large share of responsibility that falls on the provider, customers will want to ensure that the cloud service provider not only uses a zero trust model, but a zero-touch model as well.
The zero trust framework challenges the idea of trust in any form, be it trust in networks, trust between hosts and applications, or even trust in superusers or administrators. This framework only works well, however, if zero touch is at the heart of it, and human involvement in day-to-day operations – the main source of human error and insider risk – has been largely removed through automation.
Working with service providers who have implemented a zero-touch model clarifies a key element of the shared responsibility model, as it ensures that the provider’s staff have no technical means to access customer data. In other words, it provides the assurance that this part of the accountability matrix is as tight as possible.
Kick the tires
As part of risk mitigation, customers are advised to vet not only the cloud service itself, but also the company they are going to partner with.
How mature are they as an organization? What is the maturity, in particular, of their security and compliance function? Do they have certifications demonstrating their adherence to globally recognized security and data protection frameworks, such as ISO 27001, ISO 22301 and SOC 2?
Another important question is whether they have outsourced various responsibilities for their cloud service to other third-party service providers – and whether you, as a customer, have good visibility into those arrangements.
After all, it is one thing if the cloud provider you signed up with ticks all the right boxes for maturity level and certifications; it is quite another if that provider outsources key parts of the process to organizations that do not meet those criteria.
Beyond clarity on the extended supply chain, it’s also important that customers do their due diligence on the cloud provider as a whole. For example, are they running next-generation antivirus or intrusion detection? How do they protect their corporate endpoints?
These areas may have nothing to do with delivering the cloud offering itself, but they tell you a lot about the organization and its operations in general. Customers want to know that any information they share with the provider – a project proposal containing details considered confidential, for example – is secure, not just the data they will store in the cloud services they purchase from the provider.
No weak links
Ultimately, security in the cloud is a shared enterprise between an ecosystem of participants comprising the customer, the cloud provider, and the extended supply chain. Like any chain, this interconnected arrangement is only as strong as its weakest link – and a weakness or dereliction of duty in one area or by one party can compromise sensitive and privileged data.
By drawing up a clearly defined accountability matrix – and taking an in-depth look at the parties responsible for each aspect of that matrix – organizations can ensure a robust approach to shared responsibility for cloud security. In doing so, they can enjoy all the benefits of the cloud for their business operations without compromising on security.
Martin Ward is Director of Security, Governance and Compliance at iManage.